Modal Functional (Dialectica) Interpretation

We adapt our light Dialectica interpretation to usual and light modal formulas (with universal quantification on boolean and natural variables) and prove it sound for a non-standard modal arithmetic based on Goedel's T and classical S4. The range of this light modal Dialectica is the usual (non-modal) classical Arithmetic in all finite types (with booleans); the propositional kernel of its domain is Boolean and not S4. The `heavy' modal Dialectica interpretation is a new technique, as it cannot be simulated within our previous light Dialectica. The synthesized functionals are at least as good as before, while the translation process is improved. Through our modal Dialectica, the existence of a realizer for the defining axiom of classical S5 reduces to the Drinking Principle (cf. Smullyan).


Introduction
The present work supersedes the functional synthesis technique outlined in our previous paper [HT10] by adding a useful device for (homogeneously) combining the effect of previous optimizations by partly and fully uniform quantifiers in a compact releaser of constructive potential, namely the modal operator (and its weak co-modality ♦ ≡ ¬ ¬ ). Proofs which are not necessarily prima facie constructive may yet potentially contain constructive content; in order to make use of this constructive 'charge' contained in a (non-constructive) proof, various 'release' instruments have been created over the past decades.
We will prove that is not "syntactic sugar" over the functional interpretation of [HT10], but a genuinely new device (albeit synthesized out of previous works), cf. Section 4.3. We also bring the following result (cf. Theorem 4.2): while the modal propositional axioms of system S 4 are realizable, the defining axiom of S 5 is not realizable, in general, under the modal functional interpretation, by primitive recursive functionals of finite type.
The use and interpretation of modal operators in this paper were inspired by the work of Oliva (partly joint with the first author, see [HO08]) at the linear logic level, see [Oli07,Oli12]. It is no coincidence that, at formula level, our interpretation of A is syntactically the same as Oliva's modified realizability interpretation of ! A in intuitionistic linear logic. However, a certain detour would be needed in order to simulate A in terms of ! A, which may be less suitable for the processing of natural proofs by humans (see Remark 1.23 in [Gir87]).
The second author independently noticed the possibility of using the same supra-linear modal operators for light program extraction in [Tri09], see also [Tri12]. However, the initiative of studying the full employment of for more efficient functional synthesis in the formal context of the negative fragment of first-order modal logic (cf. Schütte [Sch68] and Prawitz [Pra65]) is due to the first author. As we will see, for our extractive purposes it is useful to depart from Schütte's original semantics for quantified modal logic. For example, the propositional fragment of our first-order modal systems is not modal, but purely boolean, as p ≡ p ≡ ♦ p for propositional atoms p. We thus design two non-standard modal arithmetics, NA m ⊂ NA m l , for functional program synthesis. The soundness of these input systems is syntactically given via our (light) modal functional interpretation by the target system, namely classical decidable-predicate Arithmetic with higher-type functionals, in a Natural Deduction presentation. 3 For an easier exposition we will give up the 'non-standard' prefix. Throughout the paper, our modal Arithmetics are non-standard (relative to the conservative extensions of S 4 due to Prawitz and Schütte) but they resulted in a natural manner relative to the Dialectica interpretation. It turns out that NA m intrinsically relates to the modally closed subset of Prawitz's C S5 (cf. [Pra65], page 77); see also Remark 4.4.
Note that there was some attention to formalizing Quantified Modal Logic stemming from Artificial Intelligence (cf. [FHD12]) and there is a dedicated Chapter 12 in [NvP11].

Arithmetical systems for light and / or modal Dialectica extraction
We build upon functional arithmetical systems NA and (the light annotated) NA l from [HT10]. While the verifying system NA basically is the Arithmetic Z of Berger, Buchholz and Schwichtenberg [BSB02] in a slightly different presentation which is more suitable for light functional synthesis and features classical logic (without strong existence) and full extensionality 4 , its light counterpart NA l is only partly classical.
Moreover, the input system NA l is weakly extensional and its contraction (and hence also induction) rule is restricted for soundness of the (light) functional interpretation of NA l into NA . In computing terms, the program synthesis algorithm provided by the light Dialectica (of [HT10], as inherited from the one 5 of [Her06]) produces correct output only modulo the above-mentioned restrictions on Extensionality and Contraction 6 . If not for the weak extensionality, NA l were a conservative extension of NA .
For (light) modal functional synthesis we will use the same verifying system NA . The simpler input system NA m is obtained by adding to a restricted variant of NA . This (weakly extensional) modal Arithmetic will be proved sound via the modal Dialectica interpretation. The fully-fledged input system NA m l adds to NA m all light universal quantifiers and is a modal extension of NA l ; its soundness will be given by the light modal Dialectica interpretation. Together with our new systems NA m and NA m l we will also present the relevant details of arithmetics NA and NA l . Nonetheless for the full picture 7 we refer the reader to [HT10] (see also [Tri09] for a more complete picture).

D. Hernest and T. Trifonov, Vol. 17:4
We will use the same kind of Natural Deduction ("ND") presentation 8 of our systems, where proofs are represented as sequents Γ B , meaning that formula B is the root of the ND tree whose leaves Γ are typed assumption variables ("avars") a : A . Here formula A is the type of the avar a and Γ is a multiset (since there may be more leaves labeled with the same a : A , cf. [Pra65]-Appendix C- §2, "Variants of Gentzen-type systems").
The sets of finite types T , terms T (of Gödel's T ), formulas F (of NA ) and F l (of NA l ), and, with the addition of , formulas F m of NA m and F m l of NA m l are defined as follows: For simplicity we employ two basic types: integers N and booleans B , and use ρ σ τ for ( ρ ( σ τ ) ) . Building blocks for terms are the constructors for booleans [ T , F ] (true and false, both of type B ), integers [ 0 , S ] (zero, of type N and successor, of type N N ), T -polymorphic case distinction If and T -polymorphic Gödel recursion R . Atomic formulas at ( t B ) are decidable by definition, as they are identified with boolean terms t B . In particular, we have decidable falsity ⊥ :≡ at ( F ) and truth :≡ at ( T ) . We abbreviate A → ⊥ by ¬ A . The partially light universal quantifiers ∀ + , ∀ − (partly computational) and ∀ ∅ (non-computational) are inherited from [HT10].
The universal quantifier ∀ , axiomatized as usual in Natural Deduction, will have full computational content in the input systems. The weak existential quantifier ∃ is defined for formulas in all our systems as ∃ x ρ A :≡ ¬ ∀ x ρ ¬ A . The weak co-modality operator ♦ is defined for formulas in F m and F m l as ♦ A :≡ ¬ ¬ A .
7 In this paper we give a more detailed treatment of induction for numbers and we correct the typo in the definition of CMP: on page 1382 of [HT10], it is s instead of x and t instead of y, cf. (2.1) and Section 2.4.
8 A similar presentation style was employed by de Paiva in her categorical approach to linear logic (with modalities, see Sections 1.5 and 4.6 of [dP91]), as imported from [GL87].
We purposefully avoid specifying types for terms insofar as they can be deduced from the meta-context. In all our systems, the meta-operator FV ( · ) will return the set of free variables of its argument, which can be a term or a formula.
Term system T . Computation in our systems is expressed by means of the usual β-reduction rule (λx.t)s → t[x → s] , together with the rewrite rules defining the computational meaning of If and R : Since this typed term system is confluent and strongly normalizing (cf. Section 6.2.5 of [SW11]), we are free not to fix a particular evaluation strategy. For simplicity, we will assume that all terms occurring in our formal proofs automatically get into normal form, as normalization is necessary only when matching terms in formulas. We thus avoid introducing equality axioms like in [Her06] and skip the corresponding easy applications of extensionality. In conclusion, some computations get to be carried out implicitly when building proofs in our systems 9 .
Using recursion at higher types we can define any provably total function of ground arithmetic, including decidable predicates such as equality Eq B for booleans and Eq N for natural numbers: :≡ λ x . R x λ y . R y T ( λ n, q B . F ) λ m, p N B , y . R y F ( λ n, q B . p n )
2.1. The verifying system NA . The logical rules of system NA are presented in Table 2, with the usual restriction on ∀ i (universal quantifier introduction) that A ] denotes the unique occurrence of a : A in the multiset of assumptions of the premise sequent of → i . Thus a : A ∈ Γ , hence a : A is no longer an assumption in the conclusion sequent of → i . In the usual tree representation of Natural Deduction proofs, the leaf labeled " a : A " gets inactivated 10 , after (possibly) multiple of its copies had (all) been equalized to it via instances of the contraction anti-rule (henceforth called "contractions").
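The equality term for natural numbers given earlier (just before Section 2.1) can be executed directly. The following is an added example, not code from the paper: it reads the flattened term as Eq N with its parentheses restored, assumes the standard rewrite rules R 0 r s → r and R (S n) r s → s n (R n r s), which this page does not reproduce, and evaluates the term under an eager and a lazy strategy to show that both reach the same normal form with different amounts of work. All Python names are illustrative.

```python
# Added illustration: Goedel's T recursor R and the term Eq_N on Python values.
# Numerals are Python ints, booleans are Python bools, lambda-terms are closures.
# Assumed rewrite rules (not reproduced on the page):
#   R 0 r s -> r        R (S n) r s -> s n (R n r s)

STEPS = {"count": 0}  # number of successor unfoldings of R performed


def R_eager(n, base, step):
    """Eager strategy: compute every predecessor value bottom-up."""
    acc = base
    for k in range(n):
        STEPS["count"] += 1
        acc = step(k, acc)
    return acc


def R_lazy(n, base, step):
    """Lazy strategy: hand the predecessor value to `step` as a thunk."""
    if n == 0:
        return base
    STEPS["count"] += 1
    return step(n - 1, lambda: R_lazy(n - 1, base, step))


def make_eq_n(R, force):
    """Eq_N := λx. R x (λy. R y T (λn,q. F)) (λm,p,y. R y F (λn,q. p n)).

    The outer recursion has result type N -> B, i.e. it is recursion at a
    higher type: `p` is the already-built predicate "equal to m".
    """
    def eq_n(x):
        return R(
            x,
            lambda y: R(y, True, lambda n, q: False),           # Eq_N 0
            lambda m, p: (lambda y: R(y, False,                 # Eq_N (S m)
                                      lambda n, q: force(p)(n))),
        )
    return eq_n


Eq_N_eager = make_eq_n(R_eager, lambda p: p)      # p is a value
Eq_N_lazy = make_eq_n(R_lazy, lambda p: p())      # p is a thunk


def run(eq, x, y):
    """Evaluate eq x y and report (result, number of R unfoldings)."""
    STEPS["count"] = 0
    result = eq(x)(y)
    return result, STEPS["count"]


def mismatches(bound):
    """Pairs below `bound` where either strategy disagrees with x == y."""
    bad = []
    for x in range(bound):
        for y in range(bound):
            if Eq_N_eager(x)(y) != (x == y) or Eq_N_lazy(x)(y) != (x == y):
                bad.append((x, y))
    return bad


if __name__ == "__main__":
    print("mismatches below 7:", mismatches(7))
    print("eager Eq_N 6 6:", run(Eq_N_eager, 6, 6))
    print("lazy  Eq_N 6 6:", run(Eq_N_lazy, 6, 6))
```

The eager recursor evaluates predecessor values that the step term of Eq N never inspects, so it performs more unfoldings than the lazy one while returning the same boolean.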
While for NA itself one could allow that all contractions be handled implicitly at → i , in relationship with the architecture of light input systems (e.g., NA l , cf. Section 2.2) we are compelled to introduce for NA the contraction anti-rule C in association with the corresponding C l (of, e.g., NA l , cf. Table 4).
We refer to contraction as "anti-rule", rather than "rule" because, despite the sequent-like representation of our calculi, in fact our formalisms are ND and in the ND directed tree the representation of explicit contractions is by convergent arrows that go in the direction which is reverse to the direction of all the other rules 11 . We find it convenient to introduce induction for booleans and numbers as the rules presented in Table 5. Here we assume that the induction variables b B and respectively n N do not occur freely in Γ , nor ∆ , and that they do occur in the formula A .
The at ( · ) construction allows us to view boolean programs as decidable predicates. Given Ind B , its logical meaning is settled by the truth axiom TruAx , see Table 1. In this way we can define predicate equality at base types as and further at higher types, extensionally, as It is straightforward to prove by induction on ρ that = ρ is reflexive, symmetric and transitive at any type ρ . To complete our system, we include in NA also the compatibility (i.e., extensionality) axiom CmpAx , see Table 1. Note that ex falso quodlibet ( EFQ) ⊥ → A and stability ( Stab) ¬ ¬ A → A are fully provable in NA (cf. Section 1.4 of [Tri12], by induction on the logical structure of A , using TruAx and Ind B , see also Chapter 1 of [SW11] or [Sea]-10.6).
2.2. Input system NA l . Light formulas F l were built over usual formulas F of NA by adding three 12 light universal quantifiers: the non-computational ∀ ∅ and the two semicomputational ∀ + and ∀ − (see also Footnote 2).
Thus, system NA l refined the adaptation of NA (with CMP for CmpAx and C l for C) with introduction and elimination rules for the light quantifiers (see Table 3). These are copies of the regular ND rules ∀ e and ∀ i , but with the usual restriction on ∀ i that z ∈ FV ( Γ ) enhanced with the following conditions 13 referring to the interpretation of Γ l A :
(+) in the ∀ i + rule, z may be used computationally only positively, i.e., z must not be free in the challengers of the translation of Γ (basically z ∈ ∪ n i=1 FV (t i ), cf. Statement 2.3)
(−) in the ∀ i − rule, z may be used computationally only negatively, i.e., z must not be free in the witnesses of the translation of A (cf. Example 2.2; basically z ∈ FV (t 0 ))
( ∅ ) in the ∀ i ∅ rule, z may not be used computationally at all, i.e., both (+) and (−).
where all formulas in Γ are refutation irrelevant, i.e., the negative (challenge) position in their translation (cf. Section 2.3 below) is empty. The computationally irrelevant contractions of NA l (i.e., whose formula is refutation irrelevant) can 15 be handled implicitly at → i . The situation is different for those contractions whose formula is refutation relevant (i.e., the computationally relevant contractions), as we wanted to automatically ensure that their translation is decidable (instead of leaving the task of decidability check to the user, as we shall for the upcoming modal systems).
The decidability of their translation is necessary for attaining soundness.
Remark 2.1 (restriction on relevant contractions). We achieve a decidable translation by including in NA l the contraction anti-rule C l (see Table 4) where : all formulas A that are refutation relevant must not contain any ∀ + , nor ∀ ∅ . This triggered the addition to NA of an explicit (unrestricted) contraction anti-rule C which is needed in the construction of the verifying proof (it only applies to quantifier-free formulas | A | ).
We thus ensured that all contraction formulas that require at least one challenger term for their light interpretation would have quantifier-free (hence decidable) translations 16 . In [HT10], in order to avoid having to deal with any computationally relevant contractions implicitly at → i , we had constrained the deduction rules of NA l to disallow multiple occurrences of refutation relevant assumptions in any of the premise sequents 17 .
We here no longer need such an explicit constraint, given the stronger (yet equivalent) implicit constraint imposed by the requirement at → i that the cancelled assumption a : A is a singleton. It is thus left to the implementation to lean towards lazy handling of contractions (all gathered just before → i , suitable for parallel execution within eager environments, as hinted by [Her06]) or the second author's [Tri12] eager handling of contractions (so that assumptions basically form a set) that turned out to be better suited for the lazy evaluation paradigm, or anything in-between 18 . While EFQ : ⊥ → A remains fully provable also in NA l (for all formulas A ∈ F l ) the situation changes for Stab : ¬ ¬ A → A in the case of many formulas A that feature light quantifiers in certain places 19 .
14 A formula is realization irrelevant iff its tuple of witness variables is empty. A formula is refutation irrelevant iff its tuple of challenge variables is empty. See the equivalent Remark 1 in Section 3 of [HT10].
15 This was an instrumental compromise between the first author's implementation with tuples (cf. [Her06]) and the second author's implementation with pairs (cf. [Sea,Tri12], see also Section 7.4 of [SW11]).
16 For the (light) modal Dialectica we will upgrade this purely syntactical criterion used in [HT10] (as inherited from [Her06]), see Definition 3.6 at the end of Section 3.
17 Thus, whenever a double occurrence of a refutation relevant assumption were created in a conclusion sequent by one of the binary rules of NA l , such sequent could not be directly a premise for the application of an(other) NA l rule: the anti-rule C l had to be applied first, in order to eliminate the critical double.
On the other hand, Stab is provable in NA l for A ∈ F or A conjunction-free.
2.3. Light functional interpretations. Any formula A of an input system is translated to a not necessarily quantifier-free formula | A | x y of NA so that x , y are tuples of fresh (not appearing in A) variables. The x in the superscript are the witness variables, while subscript variables y are the challenge variables.
Terms t substituting witness variables (like | A | t y ) are called realizing terms or "witnesses" and terms s substituting challenge variables (like | A | x s ) are called refuting terms or "challengers". The interpretation of specification A can be seen as a game 20 in which Eloise ( ∃ ) first and then Abelard ( ∀ ) make one move each by playing objects t and s of corresponding types for the tuples x and respectively y .
Formula | A | x y specifies the not necessarily decidable (as it were for Gödel's Dialectica) "adjudication relation". Eloise wins iff NA | A | t s .
Example 2.2 (Definition of light Dialectica translation of formulas, from [HT10]). The interpretation preserves atomic formulas, i.e., | at ( t B ) | :≡ at ( t B ) . Assuming | A | x y and | B | u v are already defined, The interpretation of the four universal quantifiers is (upon renaming, we assume that quantified variables occur uniquely in a formula): and also , see also [Koh08]) would not care much of where to handle relevant contractions, as it benefits from their easy realization via simple (default, or at most user provided) majorants.
19 As outlined in Section 3.1 of [HT10] and noted already in [Her06], the usual proof in NA of Stab (constructed by induction on A) unavoidably makes use of contractions over ¬¬(B ∧ C) for subformulas (B ∧ C) of A , and these are subject to the restriction for refutation relevant B ∧ C . Even when such subformulas do obey , they may lead to the failure of restrictions (+), (−) or ( ∅ ).
20 We acquired the game semantics interpretation (originating in [Bla92]) from works of Oliva.
It is straightforward to compute (for weak existential counterparts ∃ x : The length and types of the witnessing and challenging tuples are uniquely determined for a given formula. [ Note that cf. Definition 3.1, Eloise will have a winning move whenever specification A is provable in the input system: the light interpretation will explicitly provide it from the proof of A , as a tuple of witnesses t [ such that FV ( t ) ⊆ FV ( A ) ] together with the verifying proof in NA of ∀y | A | t y (Eloise wins by t regardless of the instances s for Abelard's y ).
The following parameterized statement gives a practical pattern in which soundness theorems for Dialectica-based interpretations can uniformly be expressed in a ND setting. The metavariables ISys and VSys below stand for input and respectively verifying systems.

Statement 2.3 (generic soundness for Dialectica interpretations [ ISys, VSys ] ). Let A 0 , A 1 , . . . , A n be a sequence of formulas of ISys with w all their free variables. If the sequent a 1 : A 1 , . . . , a n : A n l A 0 is provable in ISys , then terms t 0 , . . . , t n can be automatically synthesized from its formal proof, such that the translated sequent is provable in VSys , and the following free variable condition (c) holds: x 0 ∈ FV ( t 0 ) and FV ( t i ) ⊆ { w , x 0 , . . . , x n } . Here x 0 , . . . , x n are tuples of fresh variables, such that equal avars share a common such tuple.
In [HT10] the above was thoroughly proved for ISys ≡ NA l and VSys ≡ NA , except for the interpretation of CMP which we present below. Further in the sequel we also give a more detailed treatment of the induction rule for numbers, in order to motivate the introduction of the modal induction rule in Section 4.1.
2.4. Light Extensionality. We here give the interpretation of (2.1). By definition of equality at higher types, s = ρ r is ∀z . s z = r z , hence a purely universal formula. We are given that , A 0 is s = ρ r and x 0 corresponds to z , thus the above is more conveniently rewritten as To this we can apply the generalization rule, as x 0 are not free in the translated context | Γ | . Indeed, x 0 are fresh variables and they could have appeared free only via terms t 1 , . . . , t n , were these not empty tuples (hence the need for restricting the original context). We thus obtain | Γ | s = r and further apply CmpAx to get | Γ | | B | (s) → | B | (r) . Note that the axiom is required here, as | Γ | may contain general 21 formulas.
With g :≡ λ u . u and f :≡ λ u , v . v we have thus constructed a verifying proof The new realizing terms f , g are closed, hence the free variable condition trivially holds.
Note that f and g may at most depend on the type ρ (they do not depend on concrete terms s , r), see also the first example in Section 4.2.
2.5. Numbers. Since the induction rule (for numbers, see Table 5) corresponds to an unbounded number of contractions of each assumption from the step context ∆ (cf. [Her06]), its clone in the system NA l is subject to a restriction like the one of C l . Namely, we need to require that all refutation relevant avars in ∆ satisfy (cf. Remark 2.1). Moreover, since the contractions on a ∈ Γ ∩ ∆ will be handled differently than for simple binary rules like → e or ∧ i , it is more convenient to require that induction over numbers in NA l implicitly contracts all its refutation relevant assumptions (instead of using the explicit C l ). We will use the notation Γ ∆ for a special multiset union in which refutation relevant assumptions appear only once, even if they appear in both Γ and ∆ .
Thus the Ind N l rule of NA l is finally obtained by replacing ' Γ , ∆ ' with ' Γ ∆ ' in the conclusion sequent of Ind N . For the verifying proof, we are given is a theorem of NA , where t [n] :≡ R n r ( λ n . s ) (2.5) for every corresponding pair r ∈ r / s ∈ s and ζ [n] will be constructed as functional terms depending on v . We here intentionally use the same variable n that occurs freely in s and t . Implicitly, just t denotes t [n] . Also ζ will be constructed as the collection of all ζ (corresponding to Γ \ ∆ ) and ζ (corresponding to ∆ ). Here u z denotes the tuple union corresponding to the multiset union Γ ∆ , i.e., witness variables corresponding to refutation relevant assumptions in Γ ∩ ∆ appear only once. Let b : B be a refutation relevant avar in Γ ∆ . Let γ ∈ γ and / or δ ∈ δ be the challengers for b in Γ and / or ∆ . If b appears only in Γ (hence not in ∆ ) we define If b appears in ∆ , then the decidability of | B | is needed at each recursive step to equalize the terms p ( t t v ) obtained by the recursive call with the corresponding terms δ . Thus the right stop point of the backwards construction is provided. In fact an implicit contraction over b happens at each inductive step and guarantees that | B | is decidable.
21 The verification in a VSys with Spector's rule of extensionality (instead of axiom), employed as CMP in our framework, would already fail for Π 0 1 assumptions in Γ , as first discovered by Kohlenbach in [Koh01].
and for b ∈ ∆ \ Γ we define its ζ [ n ] by replacing in (2.7) the γ with canonical zeros.
Here z are the challenge variables corresponding to formula B . Notice that We attempt to extend (2.9) to the whole ζ by proving from (2.10) the following We obtain this as an immediate consequence of (2.12) , by (2.10) we get and thus (2.12) follows via Stab (which is fully available in the verifying system). We now prove (2.4) by an assumptionless induction on n . Let ζ * be the collection of all ζ and those ζ corresponding to Γ ∩ ∆ . For n ≡ 0 it is sufficient that and via easy deductions in NA we get (2.14) With (2.9) and (2.11) we can rewrite (2.14) to In (2.3) we substitute x → t [n] and get
2.6. Motivation for the modal induction rule. We have treated the most general situation, with all context sets Γ \ ∆ , Γ ∩ ∆ and ∆ \ Γ inhabited by refutation relevant assumptions, and conclusion formula A accepting both witnesses and challengers. Many particular situations amount to easier treatments, with simpler extracted terms. These can be obtained as simplifications of the general witnesses and challengers presented above, by means of the reduction properties of the empty tuple ε (practically the same as for the isomorphic nullterm from Section 7.2.4 of [SW11], also denoted ε).
We outline below only those particular cases which are relevant in connection with the modal induction rule Ind m N (cf. Section 4.1):
• If Γ ∪ ∆ contains no refutation relevant assumption, but A(n) is refutation relevant, then terms t are not part of the realizers for the conclusion sequent, in this case only t . Hence t would be redundantly produced and a mechanism is needed to prevent their construction. This is ensured by in front of the step A(n) at Ind m N .
• If A(n) is refutation relevant, ∆ has no refutation relevant element but Γ is refutation relevant inhabited, then δ and ζ are empty. Yet ζ * ≡ ζ has to be produced as (2.6) and includes t [n] ; this no longer will be the case for Ind m N (cf. technical details at the end of Section 4.1 further in the sequel; challengers γ simply are preserved for | Γ | ).
• If A(n) is refutation irrelevant then v , t and t t v are empty tuples. Thus ζ ≡ γ and (2.7) simplifies to [ recall that n ∈ FV ( γ ) , n ∈ FV ( t ) , and possibly n ∈ FV ( δ ) ]

3. Modal system NA m and light modal system NA m l
The usual propositional restriction on the introduction rule for the necessity operator is that all contextual assumptions had been discharged prior to the rule application (which amounts to forcing Γ ≡ ∅ at standard i ). In the natural deduction presentation of standard modal logic, i cannot be unrestricted or A → A becomes a theorem, thus all occurrences of becoming redundant. Our restriction on i is strictly weaker, as, e.g., allows any context Γ whose formulas are all refutation irrelevant (this is akin to Prawitz's 'first version' in [Pra65]VI. §1) and any context at all if the conclusion is refutation irrelevant. Thus, A → A not only is more generally possible in our quantified modal systems, it even defines a quite interesting class of formulas, see Definition 4.3.
We polymorphically use the 'proof gate' m for both NA m and NA m l , and use m l to stress that the proof belongs to NA m l . The constraints outlined below the tables on page 6 smoothly adapt to the insertion of (into the input system NA l , through i and AxT), eventually followed by the removal of ∀ − , ∀ + and ∀ ∅ , and also to the upgrade from to , as described in the sequel (cf. new tables on page 15, with C m for C l and Ind N m for Ind N l ). For the necessity operator we have the following enhanced introduction rule, which admits many more premise sequents than usual (as the context Γ may be inhabited): where Γ is restricted depending on the (light) modal translation of the proof of A from Γ , in a way that is akin to the condition (+) on the ∀ i + rule from page 7; see Definition 3.2 further below.
The following axioms of modal propositional logic S 4 (cf. [Sch68], Chapter VII; see also Chapter 9 of [TS00]) are part of NA m and NA m l : In fact only AxT is needed as an axiom of our non-standard modal systems. Of course, AxT c and Ax4 c had been syntactically deducible from AxT and respectively Ax4 already in the propositional modal system S 4 , only using minimal logic (the proof of Ax4 c also uses AxK and the empty-context i ). It turns out that also Ax4 and AxK are easily deducible in NA m / NA m l just from AxT (and only using minimal logic), given our very liberal necessity introduction rule, see Definition 3.2 below.
Note that Stability ¬ ¬ B → B needs to be restricted already for NA m , due to the necessary restriction on Contraction, cf. Definition 3.6 in the sequel, see also Remark 4.4.
We denote by A → k B :≡ A → B the so called 'Kreisel implication' 22 , since its translation by (light) modal Dialectica is akin to its Modified Realizability interpretation. Basically, if A is a formula in which all implications are Kreisel ones, then the modal Dialectica interpretation of A is logically equivalent (provably in NA ) to the modified realizability interpretation of A; see Lemma 3.2 of [Oli06b] and also [Oli15].
Note that even though our Kreisel implication looks similar to the so-called 'lax implication' (cf. [PD01], Section 7), here we are not concerned with a standard (intuitionistic) modal logic (see Remark 4.4 at the end of Section 4). Ditto for the (classical) translation of under the Curry-Howard-style modal functional interpretation of De Queiroz and Gabbay (cf. [dG97], see also Section 7 of [ddG11] for an updated survey).
22 See Section 3.2 of [Oli12] for a sketch of this construct and its design difficulties within the multi-modal linear setting. See also [Pra65], Chapter VII "some other concepts of implication" for a discussion on notions of stronger implication which appeared since early research on modal logic.
23 Any decidable formula can (and should) be given via its associated boolean term, e.g., one should rather use at (Odd(x)) instead of the more verbose ∀y ( 2 y = x ) , which is refutation relevant in a somewhat artificial and probably unintended way.
Table 7: Logical rules of NA m and NA m l , with z ∈ FV ( Γ ) at ∀ i and contractions due to → e and ∧ i explicitated as anti-rules, see Table 9; no implicit contractions at → i
As an immediate consequence,
Definition 3.2 (Necessity Introduction). The restriction on i is relative to programs synthesized from the proof of the premise A of this Natural Deduction rule, unless all formulas in the context Γ are refutation irrelevant or A is refutation irrelevant. Namely, with Γ ≡ { a 1 : A 1 , . . . , a n : A n } and A ≡ A 0 , the restriction is that x 0 ∈ ∪ n i=1 FV ( t i ) in the translated premise sequent a 1 : | A 1 | x 1 t 1 , . . . , a n : Thus admissible input proofs are inductively defined together with their extracted programs and their corresponding translated (verifying) proofs. Note that could be defined in terms of → k as A ≡ (A → k ⊥) → ⊥ , since NA features full stability Stab.
Definition 3.3 (light modal Dialectica translation of formulas). The following are added to the above Definition 3.1 (the deduced translation of ∃ ∅ z is outlined below for use at the end of Section 4.2; see also the proposed intuitionistic extension in Section 5):
Remark 3.4. The light modal translation of formulas only adds | A | x :≡ ∀y | A | x y to our light translation from [HT10] (cf. Section 2 of this paper, in particular Example 2.2). Formula A is realization relevant also under (light) modal Dialectica if the tuple of witness variables x of its translation | A | x y is not empty and similarly A is refutation relevant if the tuple of challenge variables y is not empty (see also Footnote 14). Correspondingly, A is realization irrelevant if it is not realization relevant (i.e., x is an empty tuple), and A is refutation irrelevant if it is not refutation relevant (i.e., y is an empty tuple). [ See also the more technical definition in Section 2.2 ]
Remark 3.5 (restriction violation for i ). In an automatized interactive search for modal input proofs of some given specification, we can temporarily allow unrestricted (or lesser restricted) instances of i and postpone the validity check for when the proof of its premise is fully constructed. This approach would be similar to the so-called 'computationally correct proofs' mechanism of [Tri12], or 'nc-violations' check since pre-decorate Minlog versions.
For efficiency reasons, we recommend the use of modal operators whenever possible instead of the above partly (or non) computational quantifiers ∀ + , ∀ − , ∀ ∅ and ∃ ∅ . It thus makes sense to study the (pure) modal Dialectica in itself, as the use of such light quantifiers may not be needed in many cases of interest.
It should be easier to construct a strictly modal (i.e., without light quantifiers) input proof, also for a (semi) automated proof-search algorithm. Nevertheless, it is the light variant of modal Dialectica which provides the larger range of possibilities, particularly for situations where the simpler, 'heavier' modal Dialectica would not suffice.
Definition 3.6 (Contraction restriction ). We upgrade the restriction (cf. Remark 2.1) on the computationally relevant contractions (those over refutation relevant open assumptions A), such that the interpretation | A | must be decidable (rather than strictly quantifier-free). This applies to contexts ∆ of Ind N l as well, cf. Section 2.5. In the new modal context one needs to take into account also the translation of the necessity operator, as this introduces new quantifiers. These may alter the decidability of the translated formula (relative to the corresponding non-modal formula obtained by wiping out all instances of ).
Thus, given that there is no generic algorithm for the decidability of first-order formulas over N , the user needs to supply a boolean term and a proof that the respective term is equivalent to the translation of the contraction formula. E.g., add ∀y (2y = x) ↔ at (Odd(x)) as global assumption (cf. [Sea]), see also Footnote 23.
, holds (in Peano Arithmetic PA ω ). Whenever B( z ) amounts to a predicate falsified for a set of values corresponding to z , any such constructible inhabitants would realize Ax5 by invalidating the premise of its translation (e.g., for A ≡ ∀z(z = N 0 ) , B(z) ≡ z = N 0 , with any non-zero number a realizer).
Many instances of Ax5 are nonetheless unrealizable, for instance whenever A is a universal formula whose negation cannot be witnessed constructively. For example, take A :≡ ∀z ¬ T (x, y, z) with Kleene's T predicate: Ax5 then translates to ¬ T (x, y, z) → ∀z ¬ T (x, y, z), equivalent to H(x, y) → T (x, y, z). A realizer t A [x, y] for z cannot be expressed in T , as that would imply that such a Universal Turing Machine (UTM) existed, while the mere existence of a total UTM entails decidability of the Halting Problem H (cf. Examples 3.7).
Notice that ♦ ∃x A is akin to Berger's uniform existence {∃ x} A from [Ber93], where one does not care about the witness for ∃ x (which is actually deleted from the extraction). We can thus see ♦ as an extension of Berger's appliance to more general formulas than just existential ones.
On the other hand there are situations when and ♦ are too general contrivances and separate annotations for each quantifier are a better answer for the problem at hand. In some of these cases it may still be possible to use the modal operators if one changes the input specification and its proof. Also due to AxT, it follows that m A ↔ A for any necessary formula: placing in front of such A would be logically redundant (this is akin to Prawitz's "essentially modal" formulas in [Pra65]VI. §2, 'second version', see Section 2 of [MM08] for a concurrent approach).
We say that an occurrence of is meaningful (i.e., non-redundant) in front of any formula that is not necessary, cf. Definition 4.3.
Note that all refutation irrelevant formulas are necessary formulas. It is easy to see that some of the refutation relevant formulas are necessary, e.g., ∀ x ⊥ and ∀ x (in fact any A s.t. m A or m ¬ A in NA m or NA m l ). However, even if such formulas syntactically do require challengers, these functionals turn out to be redundant and can soundly be discarded by a , without the need to change any other component of the input proof. In fact, a formula A is necessary iff it can be proved equivalent (in NA m or NA m l ) to a refutation irrelevant formula B. Indeed, for a necessary A take B :≡ A . For the converse we can use the long implication A → B → B → A , where for the last implication a contextless i together with AxK was used. [ see also [Pra65]VI. §2 for modally closed formulas ] Therefore, the 'necessary' class captures those formulas whose negative computational content can always be erased regardless of the context in which they are used. On the other hand, there are cases when can soundly be applied to a non-necessary formula, leading to cleaner (and thus better) extracted programs (see Section 4.2 below).
D. Hernest and T. Trifonov
Vol. 17:4

Remark 4.4 (non-standard modal). It would appear that our Arithmetic NA m is able to prove new modal theorems and even sentences that are invalid in Schütte's semantics. On the other hand, our restriction is not present in the usual first-order modal logic systems, thus some of the classical modal theorems will no longer be theorems of NA m .
Yet we suspect we are not far from Prawitz's VI. §4 'fourth version' for C S5 with discharge function for normalization.
The Barcan formula ∀z A(z) → ∀z A(z) is inadmissible in our modal systems (it is T -unrealizable in general, similar to Ax5); although invalid in Schütte's S 4 (cf. Anmerkung at the end of [Sch68].I. §3), it is provable in Prawitz's C S5 for modally closed A (see page 78 of [Pra65]VI. §2). However, the Converse Barcan formula ∀z A(z) → ∀z A(z) is admissible (it is bluntly realizable, similar to AxT). We thus suspect that some form of an increasing domain semantics will be suitable for our systems; see Sections 2.5, 2.9 of [BG07].
4.1. Modal induction rule.

As first argued in [HO08], induction (for numbers, but more generally also for lists, as algebra N is a particular case of inductively defined lists) should rather be treated in a Modified Realizability style whenever possible under Dialectica extraction. In our non-standard modal context we can introduce the following modal induction rule for NA m and NA m l , which is defined with a Kreisel implication at the step: This is an upgrade of the similar rule from [HO08] (given at the linear logic level, see also [Oli12]), as it allows for non-empty contexts. While the base context Γ is unrestricted, the step context ∆ is made entirely of refutation irrelevant assumptions of shape D.
Thus the step context restriction as for Ind N m is satisfied by default, since it only concerned refutation relevant assumptions 26 . Note that if D already is refutation irrelevant, placing in front of D is somewhat redundant. We could refine Ind m N by splitting the step context into ∆ which consists of refutation irrelevant assumptions not of shape D and ∆ ≡ ∆ . Nonetheless such ∆ would only contain necessary formulas (cf. Definition 4.3).
The treatment of Ind m N under (light) modal Dialectica is much easier than the one of Ind N m . In fact Ind m N is a good simplification of Ind N m for situations when the whole context is made entirely of refutation irrelevant assumptions but A(n) is a refutation relevant formula. The challenger for A(n) in the step conclusion would be needlessly produced during the treatment of such Ind N m , as it becomes no part of any of the witnesses for the conclusion sequent. Placing in front of the negatively positioned A(n) thus ensures a minimal optimization brought by Ind m N , in this particular case simply by elimination of redundancy: the conclusion witnessing terms are the same as for Ind N l (cf. Section 2.6). A more serious optimization concerns the challengers of | C | for refutation relevant assumptions C from the Γ context. These are simply preserved by Ind m N , while under Ind N m they would include the challengers for the step A(n) . If A(n) were refutation irrelevant, it would still make sense to use Ind m N instead of Ind N m , if one is not interested in the challengers for the refutation relevant assumptions from the step context.

26 The decidability of their translations in NA was needed for case distinction in their corresponding challenge realizers, cf. Section 2.5 for Ind N l , which is the same for Ind N m , only with term-equivalent | B | by default provided by the user at (2.7).
While for such particular instances of Ind N m we already have the preservation of challengers for refutation relevant assumptions strictly from Γ , still challengers for the refutation relevant step assumptions are more complex in the conclusion sequent (they include a meaningful Gödel recursion, even though here a challenger for the step negative A(n) is no longer comprised since it does not exist). Thus Ind m N can bring an improvement over Ind N m by wiping out the step challengers altogether, should these not be needed in the global construction of the topmost realizers for the goal specification.
It turns out that Ind m N strictly optimizes Ind N m in many (if not most) situations. Yet Ind N m will be employed whenever Ind m N simply cannot be applied for the goal at hand.

Modal induction rule - technical details. We are given both the following ) from the latter we easily obtain With t [ n ] :≡ R n r ( λ n . s ) for every corresponding pair r ∈ r / s ∈ s we show by induction on n in NA with base context | Γ | u γ and step context | ∆ | z that As t [ 0 ] ≡ r the base is given by (4.1) and the step follows from (4.2) with x → t [n] since t [ S n] ≡ s t [n] . Thus challengers γ are simply preserved for | Γ | and witnesses t [n] are easily constructed for | A(n) | in the conclusion sequent of Ind m N .
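The witness term t[n] :≡ R n r (λn. s) described above, as an added Python example that is not from the paper or from Minlog. The instance A(n) :≡ ∃x ∀y (y ≤ n → g(y) ≤ x), the sample function `g` and all helper names are assumptions chosen for illustration; the step premise is checked in its boxed form (for all challengers y), so only a witness `s` is needed and no challenger is produced.

```python
# Added example (not from the paper): Goedel's recursor R and the witness
# t[n] := R n r (lambda n. s) for the conclusion of the modal induction rule.
# Assumed instance: A(n) := exists x forall y (y <= n -> g(y) <= x),
# whose translation |A(n)|^x_y is (y <= n -> g(y) <= x).

def R(n, r, s):
    """Recursor of Goedel's T: R 0 r s = r ; R (S n) r s = s n (R n r s)."""
    acc = r
    for k in range(n):
        acc = s(k, acc)
    return acc

def g(y):
    """Constructed sample function."""
    return (7 * y + 3) % 11

def A_tr(n, x, y):
    """|A(n)|^x_y for witness x and challenge y."""
    return (not y <= n) or g(y) <= x

r = g(0)  # base witness, realizes |A(0)|

def s(n, x):
    """Step witness: maps a witness for A(n) to a witness for A(S n)."""
    return max(x, g(n + 1))

def t(n):
    """Witness for |A(n)| in the conclusion: t[0] = r, t[S n] = s n t[n]."""
    return R(n, r, s)

def step_holds(n, x):
    """Boxed step: (forall y |A(n)|^x_y) -> forall y |A(S n)|^{s n x}_y.
    Challenges above n + 1 are vacuous, so range(n + 2) covers all of them."""
    ys = range(n + 2)
    if all(A_tr(n, x, y) for y in ys):
        return all(A_tr(n + 1, s(n, x), y) for y in ys)
    return True

def conclusion_holds(n, y_bound=20):
    """|A(n)|^{t[n]}_y for every challenge y below y_bound."""
    return all(A_tr(n, t(n), y) for y in range(y_bound))
```
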
Remark 4.5. Our modal induction rule is equivalent to a special case of Ind N , since a can be placed in front of A(S n) from the step sequent of Ind m N . The equivalence of the two formulations for the step sequent can easily be proved using AxT, Ax4, AxK and i . Extracted terms are the same and the verifying proof only gets more direct.

4.2. Revisited examples.

The weak extensionality of modal input systems NA m and NA m l can be expressed by means of the following modal compatibility axiom (the usual compatibility axiom, but with the outward implication changed to a Kreisel implication; see [Oli12]-Introduction for the akin formulation in linear logic using a 'Kreisel modality' ! k ) By straightforward calculations, it is easy to see that CmpAx m is realizable under (light) modal Dialectica by simple projection functionals, with the verification in the fully extensional NA given by the corresponding compatibility axiom CmpAx . The realizing terms are the same f , g as for CMP ρ at the end of Section 2.4, here just grouped in tuples.
In [HO08] the following class of examples was considered: theorems of the form possibly with parameters, where the negative information on x is irrelevant, while the one on y is of our interest. Then it must be possible to adapt the proof of (4.3) to a proof in NA m or NA m l of ( ∀ x A ) → ∀ y B → ∀ z C . As noticed by Oliva in [Oli12], the Fibonacci example first treated with Dialectica in [Her07] falls into this category. Oliva also suggested an interesting example, which motivated the definition of our positively computational quantifier ∀ + (cf. Example 2.2 and Definition 3.3): "Any infinite decidable set P of natural numbers contains elements which are arbitrarily far apart". The claim can be formalized (in an extension of NA with proper predicate symbols) as follows: This statement can be proved only via a contraction on the premise, and as a result (the negative universally quantified) x gets refuted by a term involving case distinction on | P | . If nonetheless only the witnesses of n 1 and n 2 are needed, then the redundant challenge for x can simply be discarded by means of a in front of the premise, effectively applying a Kreisel implication. This example is of the form (4.3) and was extensively treated in Section 4 of [HT10]. It can even be treated with the hybrid Dialectica from [HO08]; we here only bring the more instrumental solution.
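The challenger with case distinction, and its erasure under a Kreisel implication, as an added Python example that is not from the paper or from Minlog. It assumes the claim is formalized as ∀x ∃n (x < n ∧ P(n)) → ∀d ∃n1, n2 (n1 + d < n2 ∧ P(n1) ∧ P(n2)); this formalization, the function names and the sample witness functions are assumptions.

```python
# Added example (not from the paper). Assumed formalization:
#   forall x exists n (x < n and P(n))
#       -> forall d exists n1, n2 (n1 + d < n2 and P(n1) and P(n2))
# f is a candidate witness function for the premise (n := f(x)).

def premise(P, f, x):
    """Quantifier-free translation of the premise at witness f, challenge x."""
    return x < f(x) and P(f(x))

def conclusion(P, d, n1, n2):
    return n1 + d < n2 and P(n1) and P(n2)

def witnesses(f, d):
    """Positive content: the premise is used twice, at x = 0 and x = n1 + d."""
    n1 = f(0)
    return n1, f(n1 + d)

def goedel_realizer(P, f, d):
    """Usual implication: witnesses plus a challenger x for the premise.
    The contraction over the two uses of the premise is resolved by a case
    distinction on the (decidable) translated premise, which needs P."""
    n1, n2 = witnesses(f, d)
    x = n1 + d if premise(P, f, 0) else 0
    return n1, n2, x

def kreisel_realizer(f, d):
    """Kreisel implication: the challenger is erased and P is never consulted."""
    return witnesses(f, d)

def sound_goedel(P, f, d):
    """|premise| at the extracted challenger implies |conclusion|."""
    n1, n2, x = goedel_realizer(P, f, d)
    return (not premise(P, f, x)) or conclusion(P, d, n1, n2)

def sound_kreisel(P, f, d):
    """The premise now has to hold for all x; only x <= n1 + d matter here."""
    n1, n2 = kreisel_realizer(f, d)
    if all(premise(P, f, x) for x in range(n1 + d + 1)):
        return conclusion(P, d, n1, n2)
    return True

# Constructed sample data: P is the set of even numbers.
def P_even(n):
    return n % 2 == 0

def f_good(x):   # genuine witness: next even number above x
    return x + 2 - x % 2

def f_bad(x):    # fails already at x = 0, since f_bad(0) = 1 is odd
    return x + 1

def f_late(x):   # correct at x = 0 only
    return 2 if x == 0 else x
```

With `f_late` the premise holds at x = 0 but the conclusion fails, so the case distinction has to return the second instance x = n1 + d as the challenger; the Kreisel variant returns the same n1, n2 without computing it.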
The example can be extended so that the premise becomes more involved (cf. [Tri12], Example 5.3 on page 114):

∀ m ∃ n Q(n, m) → ∃ n 1 Q(n 1 , S m) → ∃ n 0 Q(n 0 , 0 ) → ∃ n 2 Q(n 2 , S S 0 ) (4.4)

Again, a contraction must be used, and two semi-computational quantifiers need to be applied in order to erase the negative computational content. The light specification corresponding to (4.4) would then be written as: This solution is withal not desirable, as the light annotations would only apply to a special class of binary relations Q for which the witness n 1 for Q(n 1 , S m) does not depend computationally on the witness n for Q(n, m) for any m , hence reducing the generality of the claim. A fix would then be to extend the light annotations to implications, as in [Tri12]. However, a much simpler and more elegant approach is to use a Kreisel implication, by placing in front of ∀m ∃ n Q(n, m) → ∃ n 1 Q(n 1 , S m) at (4.4). The negative content of the main premise will thus be fully erased and the positive one will be fully preserved, achieving a Modified Realizability effect.

We also mention a proof for the 'integer root example' (first considered in [BS95]): "every unbounded integer function has an integer root function". The statement can be formalized (in negative arithmetics) as follows: term and the expression denote one and the same program, but in Table 5.3 the extraction of the program is shown in a stepwise manner, so that every step can be related to the proof and to the interpretation. Figure 5.3 represents an operationally cleaner Scheme program. No normalization is happening between Table 5.3 and Figure 5.3: the second author avoided it, as (uncontrolled) normalization can produce a slower program.

29 In front of the conjunction Decr(l, n)∧ Same(l, n) , see Corollary 3.6 on page 63 of [Tri12].
At the time of writing of [Tri12] the Minlog implementation of ∀ ∅ was not operational for proofs involving case distinction (for numbers) like the one produced by the second author for comparison with the A-translation approach (cf. [Sea]-14.1, [SW11]-7.3). To address this problem, the first author rearranged the input specification in [HT] so that two → can be rewritten as →k , otherwise the modal input proof is essentially equivalent to the proof used by the second author in [Tri12]. The case distinction treatment of ∀ ∅ was subsequently fixed in Minlog and thus either of the two versions of the proof (modal, or light-only) may now be used. E.g., the Dialectica extracted term from the (classical) proof of IPP (Infinite Pigeonhole Principle) can be (re)used further in the synthesis of programs that employ IPP as lemma (such as the Unbounded Pigeonhole Principle).

A natural continuation of the work reported in this paper concerns the addition to our input systems of strong (intuitionistic) elements. Besides the strong ∃ and its light associated ∃ ∅ (originally from [Her06] where it was denoted ∃ , see also [Tri12]), strong possibility ♦ also needs to be considered as the intuitionistic dual of necessity .
The following clauses would then be added to Definition 3.1 for getting the strong modal Dialectica interpretation | ∃ z A(z) | z, f y :≡ | A(z) | f y and | ♦ A | y :≡ ∃ x | A | x y , and further | ∃ ∅ z A(z) | x y :≡ ∃ z | A(z) | x y to Definition 3.3 in order to obtain the strong light modal Dialectica interpretation.
Intuitionistic (light) modal arithmetical systems will first be considered at input for 'strong' program synthesis. Then their enhanced classical counterparts will be interpreted, modulo some negative translation. Such systems will soundly extend NA m with ♦ and ∃ , and NA m l also with ∃ ∅ . Nevertheless, certain restrictions may need to be applied on NA m and / or NA m l before attempting such extensions with intuitionistic elements 30 . In Section 3.2 of [Oli12] Oliva suggested labelled contexts in order to deal with the technical difficulties of having both the Kreisel and the usual (Gödel) implications in intuitionistic logic IL ω . Our implementation in Minlog of → k identifies those "Kreisel" assumptions as the ones discharged at --> introduction; they are marked so that no realizer is extracted for their negative side. In the modal language, we can say that they are "boxed" by means of , which acts as a "Kreisel" label. The restriction from Definition 3.2 then has to be checked for the proof of the premise of an --> elimination.
It is straightforward that the hybrid system with → k is fully expressible in NA m ; the question is whether NA m could nicely be expressed in a system with the Kreisel implication as primitive, given that | A | ↔ NA | (A → k ⊥) → ⊥ | . Perhaps a Kreisel negation ¬ k would be more suitable, with | ¬ k A | ↔ NA | (A → k ⊥) | .
The design of the monotone variant of modal Dialectica is under construction, since it has been known for some time that a (heterogeneous) combination of modified realizability and classical Dialectica was successfully used by Leuştean for proof mining (cf. [Koh08]) an exceptional approximation result in metric fixed-point theory (cf. [Leu14,Leu10]). See also [Her09] for a synthetic analysis of the impact of the precursor of into Kohlenbach's advanced framework for Proof Mining; note that our base logical framework is equivalent to the one used by the proof miners, cf. Section 1.1.11 of [Tro73], see also [Luc73]. Recent works by Powell [Pow20] and Şipoş [Şip] would be suitable for implementation in [HT], as indicated by Kohlenbach. Last but not least, the interplay between proofs and programs in our non-standard modal systems may be suitable for the discovery approach of DreamCoder [EWN + 20]. Instead of incrementally building (by intervention of human operators) an information system associating realizers to (admissible) proofs of Lemmata (as building blocks for the semi-automated search of programs from prima facie non-constructive proofs of Theorems) we could then have the machine (re)discover Minlog and upgrade it to its modal variant.

30 See [MM08] for weak normalization of standard first-order classical S5 (with strong existence and strong possibility) and Chapters 4 and 7 of [Sim94] for an intuitionistic account of intuitionistic modal logic.